collective / pas.plugins.ldap

Zope (and Plone) PAS Plugin providing users and groups from LDAP directory
http://pypi.python.org/pypi/pas.plugins.ldap

Problem with expire in AD #121

Open mamico opened 6 months ago

mamico commented 6 months ago

In pas.plugins.ldap and node.ext.ldap (https://github.com/conestack/node.ext.ldap/blob/299f3c056570d80b0e4346ffe441490489bade63/src/node/ext/ldap/ugm/expires.py#L105) I cannot find an implementation for account expire in MS Active Directory.

IMO the implementation must have 0 or 0x7FFFFFFFFFFF (9223372036854775807) as "no expire" and the value as the number of 100 nanosecond intervals from January 1, 1601 (UTC) (aka filetime).

This is the expire specification for MS Active Directory

https://learn.microsoft.com/en-us/windows/win32/adschema/a-accountexpires
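
The interpretation described in the comment above, sketched as an added example; it is not code from this thread, pas.plugins.ldap or node.ext.ldap. The function names are hypothetical, and treating a malformed value as expired (fail closed) is an assumption of the sketch.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals from 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# "Never expires" sentinels: 0 and 2**63 - 1 (decimal 9223372036854775807).
NEVER_EXPIRES = (0, 2**63 - 1)


def parse_account_expires(raw):
    """Return the expiry as an aware UTC datetime, or None for "never".

    raw is the attribute value as returned by an LDAP search (bytes),
    or an equivalent str/int. Raises ValueError if it is not a
    non-negative integer.
    """
    if isinstance(raw, bytes):
        raw = raw.decode("ascii")
    ticks = int(raw)
    if ticks in NEVER_EXPIRES:
        return None
    if ticks < 0:
        raise ValueError("negative accountExpires: %d" % ticks)
    try:
        # datetime has microsecond resolution, so drop the last digit.
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        # Past year 9999: not representable, and effectively never.
        return None


def is_expired(raw, now=None):
    """True if the account has expired at `now` (default: current UTC time)."""
    now = now or datetime.now(timezone.utc)
    try:
        expires = parse_account_expires(raw)
    except ValueError:
        return True  # assumption: fail closed on a malformed value
    return expires is not None and now >= expires


def to_filetime(moment):
    """Convert an aware datetime to a FILETIME integer (inverse of the parser)."""
    return (moment - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    for sample in (b"0", b"9223372036854775807", b"133485408000000000", b"abc"):
        print(sample, "expired" if is_expired(sample) else "active")
```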

jensens commented 5 months ago

Sorry, IIRC the implementation was written for OpenLDAP and we had no users with AD available for checking. A PR would probably be the best way to fix it. At least I have no AD available for testing.

rnixx commented 5 months ago

Hi @mamico as commented here https://github.com/conestack/node.ext.ldap/blob/master/src/node/ext/ldap/ugm/expires.py#L20 the only account expiry implementation available right now is for OC shadowAccount. AD needs an implementation.

mamico commented 5 months ago

@jensens @rnixx thank you. Yes, I know, sorry if there was a misunderstanding. My intention was to open a feature request in case someone needs/wants to implement it. Otherwise, if no one does, I can do a PR with the implementation in my OSS contribution time or with a customer request.